vdelitz for Corbado

Posted on • Originally published at corbado.com

WebAuthn PRF Extension, Related Origins & Passkey Upgrades

As the digital world transitions towards passwordless authentication, Apple’s iOS 18 brings a significant update to passkey support. The introduction of automatic passkey upgrades, support for the PRF extension, and enhanced WebAuthn functionalities for related origins are set to redefine user authentication. This article analyzes these key updates, highlighting their implications and technical underpinnings.

Read the full blog post here

Automatic Passkey Upgrades: A Seamless Transition

One of the standout features in iOS 18 is the automatic passkey upgrade facilitated through Apple’s new Passwords app. This process hinges on the WebAuthn Conditional Registration Extension, which allows for the automatic creation of a passkey during a password autofill event. The upgrade occurs seamlessly after the Passwords app autofills a user’s credentials, triggering a Face ID or Touch ID scan that authorizes the creation of a non-phishable passkey. This approach ensures that users transition from passwords to passkeys without the need for manual intervention, enhancing both security and user experience.

How It Works Technically

The technical implementation of this feature starts with detecting whether the browser supports the passkey upgrade. Currently, Safari 18 is the only browser that supports this functionality, with other browsers expected to follow suit. The process is initiated by checking the browser’s client capabilities using the PublicKeyCredential.getClientCapabilities() method. If the browser supports conditional creation, the passkey is automatically generated and stored securely, ready to be used for future authentications.

Support for PRF Extension: Enhancing Cryptographic Functions

iOS 18 also introduces support for the Pseudo-Random Function (PRF) extension within WebAuthn. This extension enables websites to perform cryptographic operations beyond simple authentication, making it a valuable tool for end-to-end encryption. By integrating the PRF extension, developers can now generate symmetric keys tied to a user’s credential, which can be used to encrypt and decrypt sensitive data. This feature is particularly useful for applications requiring high security, such as encrypted communications or secure vaults.

Use Cases for PRF Extension

The PRF extension opens up a range of possibilities, from securing user communication to encrypting data within password managers. By leveraging this feature, developers can enhance the security of their applications while ensuring that encryption keys remain tightly bound to the user’s credentials.

WebAuthn Support for Related Origins: Simplifying Cross-Domain Authentication

Another critical update in iOS 18 is the expanded WebAuthn support for multiple related origins. Traditionally, WebAuthn credentials were confined to a single domain, limiting their use across different but related domains. With the new update, Apple has introduced a mechanism where a well-known URL can be used to list authorized origins, allowing passkeys to be shared across multiple domains within the same organization.

Implementation and Benefits

This feature is particularly beneficial for companies operating under multiple domains or international websites, as it simplifies the deployment of WebAuthn without compromising security. The adoption of this method is expected to reduce barriers to WebAuthn adoption while maintaining the stringent security standards that users expect.
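
As an added example (not from the original article and not Apple's code), the sketch below follows the related-origins validation procedure in WebAuthn Level 3, going a step beyond the summary above: the client reads the `origins` array served at `https://<RP ID>/.well-known/webauthn`, counts at most five distinct registrable labels, and accepts the caller only on an exact origin match. The function names, the sample document and the three-entry suffix list standing in for the Public Suffix List are assumptions made for illustration.

```javascript
// Added example: matching a caller origin against /.well-known/webauthn.
const MAX_LABELS = 5; // minimum number of labels a client must support

// Constructed stand-in for the Public Suffix List (assumption for this demo).
const SAMPLE_SUFFIXES = ["co.uk", "com", "de"];

// Constructed document: six distinct labels, one more than MAX_LABELS.
const SAMPLE_DOC = JSON.stringify({
  origins: [
    "https://example.com", "https://example.co.uk", "https://example.de",
    "https://alpha.com", "https://beta.com", "https://gamma.com",
    "https://delta.com", "https://epsilon.com",
  ],
});

// "shop.example.co.uk" -> "example": first label of the registrable domain.
function registrableLabel(host, suffixes = SAMPLE_SUFFIXES) {
  const suffix = suffixes
    .filter((s) => host.endsWith("." + s))
    .sort((a, b) => b.length - a.length)[0];
  if (!suffix) return null; // bare suffix or unknown TLD
  const rest = host.slice(0, -(suffix.length + 1));
  return rest.split(".").pop() || null;
}

// Returns true only when callerOrigin is same-origin with a counted entry.
// A real client raises SecurityError on a malformed document; here: false.
function isRelatedOrigin(callerOrigin, body, maxLabels = MAX_LABELS) {
  let doc;
  try { doc = JSON.parse(body); } catch { return false; }
  if (!doc || !Array.isArray(doc.origins)) return false;
  if (!doc.origins.every((o) => typeof o === "string")) return false;
  const labelsSeen = new Set();
  for (const item of doc.origins) {
    let url;
    try { url = new URL(item); } catch { continue; } // skip unparsable entries
    const label = registrableLabel(url.hostname);
    if (!label) continue;
    // Entries that would introduce a label beyond the limit are ignored.
    if (labelsSeen.size >= maxLabels && !labelsSeen.has(label)) continue;
    if (url.origin === callerOrigin) return true; // scheme, host and port
    labelsSeen.add(label);
  }
  return false;
}
```

Ordering matters when auditing such a document: country-code variants of one name share a label, but an entry that introduces a sixth label is never matched by a client that supports only the minimum of five.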

Apple’s Strategic Move Towards a Passwordless Future

Apple’s commitment to a passwordless future is evident in these updates. By integrating these features into its ecosystem, Apple is setting the stage for seamless and secure authentication experiences across devices. As other major players like Microsoft and Google are likely to follow suit, it’s clear that the future of user authentication is moving towards passkeys.

For developers and product managers, staying updated with these changes is crucial. The continuous evolution of WebAuthn and passkey technologies necessitates keeping a close eye on browser and operating system updates to ensure a consistent and secure user experience across platforms.

Find out more on our detailed blog post.
